Flow Mapping® in Action at Interop

By: John Mattes

One of the top value propositions that GigaVUE customers experience is a reduction of traffic to manageable levels, so that they can monitor 10G network links with 1G tools or reduce the amount of data any tool sees. The latter improves performance, because the network monitoring tool does not have to process data that is irrelevant to it. This is all accomplished using Gigamon's patented Flow Mapping technology. Flow Mapping is a filtering technology that creates a very detailed traffic distribution policy across multiple aggregated network ports. These policies, called Map Rules, can send specific data to specific tools, all at full line rate. Once a user creates a Flow Mapping policy, the map is distributed and bound to the ingress network ports. The main advantage of the map is that you can easily modify the rules across multiple ports with little effort. Even when the map is bound, users can use pass-alls to send unfiltered data to tools without disturbing the filtering that is in place.

To simulate Flow Mapping, I enlisted the help of one of the Monitoring Tool Providers, NetScout. The InteropNet NOC is one of the most heavily attacked networks when the network goes live. To demonstrate Flow Mapping, I created rule sets that diverted attack attempts to a separate port. Among the traffic I diverted were SQL attacks, SMB over IP attacks used to gain access to personal computers, and attacks over port 22. Below is a screenshot of traffic levels before and after filtering.

In the beginning of the bar chart you can see the effect of filtering on traffic. Just to validate, I unloaded the Flow Map and then re-enabled it around 10am. The bottom red line represents the traffic level with filtering and the top red line represents the traffic level without the filtering. You can see that with filtering, traffic going to the NetScout Infinistream was roughly 40 Mb/sec. Without filtering, traffic was roughly 120 Mb/sec or higher. By enabling the filtering I was able to reduce traffic levels by over 200%. This reduction of traffic can make a huge difference for tools that inspect large amounts of data.
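The map behaviour described above (one map bound to several ingress ports, rules steering attack traffic to a separate tool port, and a pass-all delivering an unfiltered copy) can be modelled in a few lines. This is an added example, not Gigamon code or GigaVUE configuration syntax; the port names, the SQL and SMB port numbers, the first-match ordering and the default tool for unmatched traffic are assumptions of the model.

```python
from dataclasses import dataclass, field

# Port 22 is from the post; 445 (SMB) and 1433/3306 (SQL) are assumed here.
ATTACK_PORTS = frozenset({22, 445, 1433, 3306})

@dataclass
class Rule:
    dst_ports: frozenset   # match on TCP destination port
    tool_port: str         # tool port that receives matching packets

@dataclass
class FlowMap:
    rules: list
    default_tool: str                               # assumed: unmatched traffic goes here
    bound_ports: set = field(default_factory=set)   # ingress ports the map is bound to
    pass_alls: dict = field(default_factory=dict)   # ingress port -> tool port

    def bind(self, *ingress):
        self.bound_ports.update(ingress)

    def forward(self, ingress, pkt):
        """Return the set of tool ports that receive this packet."""
        out = set()
        if ingress in self.pass_alls:       # unfiltered copy, independent of the rules
            out.add(self.pass_alls[ingress])
        if ingress in self.bound_ports:
            for rule in self.rules:         # first matching rule wins (model assumption)
                if pkt["dport"] in rule.dst_ports:
                    out.add(rule.tool_port)
                    break
            else:
                out.add(self.default_tool)
        return out

def tool_load(fmap, traffic):
    """Sum the bytes delivered to each tool port for (ingress, packet) pairs."""
    load = {}
    for ingress, pkt in traffic:
        for tool in fmap.forward(ingress, pkt):
            load[tool] = load.get(tool, 0) + pkt["size"]
    return load

# Constructed sample traffic: (ingress port, packet)
TRAFFIC = [("net1", {"dport": 80, "size": 400}), ("net1", {"dport": 22, "size": 300}),
           ("net2", {"dport": 445, "size": 500}), ("net2", {"dport": 443, "size": 600}),
           ("net2", {"dport": 1433, "size": 200})]

def demo():
    fmap = FlowMap([Rule(ATTACK_PORTS, "tool-attack")], "tool-monitor")
    fmap.bind("net1", "net2")                 # one map, several ingress ports
    fmap.pass_alls["net2"] = "tool-capture"   # unfiltered feed alongside the map
    return tool_load(fmap, TRAFFIC)
```

In this model the monitoring tool sees only the non-attack bytes, while the pass-all tool still receives everything arriving on `net2`.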

 

This is the complete report for those that are interested in data that we are capturing here at the InteropNet NOC.
